How can we build secure and reliable deep learning systems for tomorrow?

We cannot answer this question without understanding the attack surfaces of deep neural networks (DNNs)—the core component of those systems. Recent work studied the attack surfaces such as mispredictions caused by adversarial examples or models altered by data poisoning. However, most of the prior work narrowly considers DNNs as an isolated mathematical concept, and it, therefore, overlooks a holistic picture—leaving out the security and privacy threats caused by vulnerable interactions between DNNs and other system components, such as hardware, systems, or software.

In this talk, I will discuss my work, studying computational properties of DNNs from a systems security perspective, that has exposed critical security and reliability threats and has steered industrial practices.  First, I will show how vulnerable DNNs are to hardware-level attacks, such as fault injection. An adversary who wields Rowhammer, a fault-injection attack that flips random or targeted bits in the physical memory, can inflict an accuracy drop up to 100% in practice. Second, I will show how vulnerable the computational savings provided by efficient deep learning algorithms are in adversarial settings. By adding human-imperceptible input perturbations, an attacker can completely offset a multi-exit network’s computational savings on an input. Third, I will show how vulnerable the common practice of applying a leading compression method (i.e., quantization) can be exploited to achieve adversarial outcomes. An adversary trains a well-performing model, and a victim who quantizes it activates malicious behaviors that were not present in the floating-point format. I will conclude my talk by discussing one on-going research for achieving my vision.